fyi-cli is transitioning to a Rust workspace (fyi-core, fyi-cli, fyi-mcp); the legacy
fyi_system Python package remains as a reference implementation but is not actively extended.
Only the latest released version of each component is supported with security fixes.
| Component | Supported |
|---|---|
Rust workspace (fyi-core/fyi-cli/fyi-mcp), latest release |
✅ |
Legacy fyi_system Python package, latest release |
|
| Any older release | ❌ |
We take the security of FYI Request System seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, use GitHub's private vulnerability reporting feature: https://github.com/edithatogo/fyi-cli/security/advisories/new
Please include the following information in your report:
- A description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Any suggested fixes (if applicable)
- Your contact information for follow-up
You can expect:
- Acknowledgment: Within 48 hours
- Initial assessment: Within 5 business days
- Status update: Within 10 business days
- Resolution timeline: Depends on severity (see below)
| Severity | Response Timeline | Description |
|---|---|---|
| Critical | 24-48 hours | Remote code execution, data breach |
| High | 5 business days | Privilege escalation, authentication bypass |
| Medium | 10 business days | XSS, CSRF, information disclosure |
| Low | 20 business days | Minor security issues |
- Report - Submit your findings via email or GitHub advisory
- Acknowledge - We'll confirm receipt within 48 hours
- Assess - We'll evaluate the vulnerability and determine severity
- Fix - We'll develop and test a fix
- Release - We'll release a patched version
- Disclose - Public disclosure after users have had time to update
- We will notify you when the vulnerability has been fixed
- We may request that you keep the vulnerability confidential until a fix is released
- We will credit you in the security advisory (unless you prefer to remain anonymous)
- We request that you do not disclose the vulnerability publicly before we release a fix
To keep your installation secure:
- Keep updated - Always use the latest version
- Protect API keys - Store API keys securely, never commit to version control
- Use encryption - Enable encryption for sensitive data
- Review permissions - Regularly audit file permissions
- Monitor logs - Check logs for suspicious activity
- Dependency scanning - Automated vulnerability scanning on every commit
- CodeQL analysis - Static analysis for security issues
- Secret scanning - GitHub secret scanning enabled
- Signed commits - Commit signing encouraged
- Branch protection - Main branch protected
- Required reviews - Pull requests require review
For a list of past security advisories, see: https://github.com/edithatogo/fyi-cli/security/advisories
- GitHub Advisories: https://github.com/edithatogo/fyi-cli/security/advisories/new
Thank you for helping keep FYI Request System secure!